When to Cut Your Losses on a Wasteful Security Project

In a December 2011 Forbes article entitled "How To Waste $100 Billion: Weapons That Didn't Work Out", author Loren Thompson discusses a number of government weapons programs that were scrapped after billions of dollars were sunk. The circumstances under which each project went south vary, but they do share one very interesting point in common. What is that point? That the question of when to cut losses should have been asked and discussed at several different points along the way. Unfortunately, it never was, and the results speak for themselves.

Managing a large, complex military project is, not surprisingly, extremely complex. Nonetheless, as with any project, checkpoints should be installed along the way to ensure that the project is moving towards achieving its goals on time and within budget. When this doesn’t happen, projects can veer off course into the realm of over time and over budget, as was the case with the projects referenced in Loren Thompson’s Forbes article.

So what does this have to do with information security? I would argue that lessons from the field of project management can offer us valuable insight that we can leverage to improve and strengthen our respective security programs. How so? Allow me to elaborate.

Any information security organization will have a number of different initiatives and projects going on at any given time. This is, of course, in addition to all of the various day-to-day operational activities that occur as well. Each of these will require a certain amount of money, a certain number of resources, and a given amount of time. At the same time, they each contribute differently to the organization’s overall security posture and progress towards completion at different rates. Organizations need to continually evaluate where each effort stands in relation to its allotted budget and schedule, along with the value it brings to the organization’s security posture. Failure to do so can result in the organization expending huge amounts of money, human resources, and time on efforts that do little to improve its security posture or never reach completion.

So what are some ways in which organizations can avoid the trap of a wasteful project? Though not an exhaustive list, I provide five suggestions here:

1. Go back to basics: When we ask ourselves how we can assess what activities bring added value to the security organization, we need to go back to basics to find the answer. Boiled to their essence, our respective security programs serve to mitigate the risks and threats we are most concerned about, as well as to address the security goals and priorities we’ve set for ourselves. If we go back to these fundamentals, we very quickly see how we can map the various different efforts underway to the challenges we need them to address for us. Does a given project help address and mitigate a risk or threat? Does it help us meet our goals and achieve our priorities? No? Why are we working on it?

2. Enforce project management: If you think that project management best practices are only for weapons programs and software projects, think again. Everyone should be familiar with project management techniques. Why should security efforts be run any less formally than any other project? How else is the organization supposed to stay on top of everything going on and understand how to measure progress, success, cost, and other key metrics? Is project management more formal of a discipline than many security professionals are used to? Sure. But the time has long since come to get used to it and to start using it.

3. Keep an eye on budgets: It goes without saying that budgets in security are never large enough to cover all of the bases that a security organization wants to cover. So why throw money towards people, process, and technology that don’t bring value? The amount of money being spent on various different efforts should be correlated to the value-add those efforts bring. That allows the security organization to understand where large sums of money are being sunk on initiatives that don’t carry their weight in terms of the value-add they should bring.

4. Keep an eye on schedules: Who loves to see a project run over schedule and be delivered late or never at all? No one. Absolutely no one. So why let things get out of hand? Set up gates and checkpoints along the way to evaluate progress against project goals. Identify issues and stumbling blocks in order to nip them in the bud long before they cascade into additional delays and cost overruns. Staying on top of things allows us to identify potential pitfalls before they turn into major problems that can derail a project.

5. Avoid bright shiny objects: The security profession seems to get distracted by bright shiny objects every now and again. Every so often, a new type of product or service comes along that generates an unwarranted amount of buzz, hype, and hysteria. Often, all of this attention comes without any mapping back to real operational problems that organizations are looking to solve. Some organizations are wise enough to stick to their defined strategies and not to veer off course. But many organizations don’t fare as well and are drawn into the vortex. Unfortunately, getting drawn in often results in lots of money, human resources, and time being spent on “item du jour” projects that don’t go anywhere. More often than not, this year’s must-have fad will be next year’s dud, with more than a few startups closing their doors when funding runs out. Don’t take the bait. It will only divert precious resources from efforts that can bring the security organization far more value-add.

Joshua Goldfarb (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.